HITRUST Implementation vs. Measured PRISMA Levels: What Is the Difference?

Summary

In the context of the HITRUST CSF, the PRISMA Maturity Levels are designed to help organizations assess their cybersecurity posture and maturity in relation to security controls and practices. The PRISMA maturity levels are structured to reflect different stages of an organization’s ability to effectively implement and manage cybersecurity controls. Two of the PRISMA levels are Implementation and Measured. Both Implementation and Measured both involve control testing; however, they represent two different stages of control maturity with distinct characteristics.

Implementation PRISMA Level

Implementation level compliance indicates that an organization has successfully put in place the required security controls or safeguards as prescribed by HITRUST. However, at this stage, the organization’s processes and controls are primarily focused on meeting the minimum requirements and may still be in the early phases of becoming fully operational and optimized.

Key Characteristics

• Control Implementation: The organization has implemented the necessary policies, procedures, and technologies to address the relevant HITRUST CSF requirements. This typically means that security controls have been configured and are active, but the focus is on ensuring that basic requirements are met.
• Basic Compliance: The organization can demonstrate that its controls are implemented, but they may not yet be fully optimized or consistently followed across all areas of the organization.
• Initial Stage: The system and process configurations are in place, but some aspects (such as consistent enforcement or automated monitoring) might still be in progress.

Example

An organization has implemented multi-factor authentication (MFA) for all users as required by HITRUST, but the process may still be manual in nature (e.g., users are manually enrolled, and there’s no automation for prompt deactivation or enforcement). The control is implemented but may not be fully optimized or operating at a high level of maturity.

Measured PRISMA Level

Represents the stage where the organization not only implements the controls but also actively measures, monitors, and evaluates the effectiveness of those controls. This PRISMA level demonstrates that the organization is moving beyond simply "checking the box" for control implementation and is focused on assessing the performance of its security measures over time.

Key Characteristics

• Performance Monitoring: The organization is actively tracking the performance of its security controls. The focus shifts from just implementation to ensuring that the controls are functioning as intended and producing measurable outcomes (e.g., effectiveness in detecting and preventing threats).
• Ongoing Evaluation and Improvement: The organization is measuring the impact of its security practices through ongoing assessments, audits, and reviews. This includes the collection of data to gauge how well security controls are working and whether they need adjustments or refinements.
• Continuous Improvement: There is an emphasis on optimizing the processes, implementing metrics, and using feedback loops to drive continuous improvement. The organization ensures that controls are not just in place but also evolving based on their performance and the organization's needs.

Example

An organization has implemented multi-factor authentication (MFA) for all users, but it goes beyond implementation by regularly measuring the effectiveness of MFA in preventing unauthorized access attempts. It might track metrics such as the number of login failures, monitor any MFA-related incidents, and conduct regular audits to ensure MFA usage remains optimal. Any gaps identified in the process would trigger a refinement process to make MFA more secure or user-friendly.

Key Differences Between Implementation and Measured PRISMA Levels

Conclusion

• The Implementation level represents the stage where security controls are simply in place to meet the necessary requirements but may not be systematically managed or optimized.
• The Measured level, on the other hand, signifies a more mature stage where controls are actively monitored, evaluated, and optimized to ensure they are performing effectively.